January 27, 2025
Last week, the NY Health Information Privacy Act (S.929/A.2141) passed in both houses of the NYS Legislature. The legislation would establish parameters on how companies collect and use information related to a person’s health status which is not subject to the provisions of HIPAA (for example, health trackers, online shopping platforms, etc.).
For health data privacy advocates, this legislation is an important step toward giving individuals control over their health information and preventing hostile actors from gaining information about the provision of criminalized care, such as abortion, gender affirming care, etc. It remains to be seen whether the Governor will sign the bill into law given strong pushback against passage by tech companies that are lobbying for the Governor to veto the bill.
Here’s the language of the bill that passed in both houses and now awaits the Governor’s review and final action:
(NOTE: At the end of the legislation (pasted directly below) there is more discussion and information regarding another bill on the same topic.)
STATE OF NEW YORK
2141
2025-2026 Regular Sessions
IN ASSEMBLY
January 15, 2025
Introduced by M. of A. ROSENTHAL, REYES, DINOWITZ, SIMON, CUNNINGHAM, TAPIA, SHIMSKY, EPSTEIN, BICHOTTE HERMELYN, BURDICK, BRAUNSTEIN, LUCAS, SEAWRIGHT, STIRPE, GLICK, KIM, DILAN, TAYLOR, SEPTIMO, GONZALEZ-ROJAS, LEVENBERG, MITAYNES, RAMOS, OTIS -- read once and referred to the Committee on Science and Technology
AN ACT to amend the general business law, in relation to providing for the protection of health information
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD01741-01-5
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new article 42-A to read as follows:
ARTICLE 42-A
NEW YORK HEALTH INFORMATION PRIVACY ACT
Section 1120. Definitions.
1121. Requirements for communications to individuals.
1122. Lawfulness of processing regulated health information.
1123. Individual rights.
1124. Security.
1125. Service providers.
1126. Exemptions.
1127. Enforcement.
1128. Contracts and waivers void and unenforceable.
§ 1120. Definitions. As used in this article, the following terms shall have the following meanings:
1. "Deidentified information" means information that cannot reasonably be used to infer information about, or otherwise be linked to a particular individual, household, or device, provided that the regulated entity or service provider that processes the information:
(a) Implements reasonable technical safeguards to ensure that the information cannot be associated with an individual, household, or device;
(b) Publicly commits to process the information only as deidentified information and not attempt to reidentify the information, except that the regulated entity or service provider may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this section; and
(c) Contractually obligates any recipient of the deidentified information to comply with all requirements of this section.
2. "Regulated health information" means any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual. Location or payment information that relates to an individual's physical or mental health or any inference drawn or derived about an individual's physical or mental health that is reasonably linkable to an individual, or a device, shall be considered, without limitation, regulated health information. Regulated health information shall not include deidentified information.
3. "Process" or "processing" means an operation or set of operations performed on regulated health information, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of regulated health information.
4. "Regulated entity" means any entity that (a) controls the processing of regulated health information of an individual who is a New York resident, (b) controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or (c) is located in New York and controls the processing of regulated health information. A regulated entity may also be a service provider depending upon the context in which regulated health information is processed.
5. "Sell" means to share regulated health information for monetary or other valuable consideration. Selling does not include the sharing of regulated health information for monetary or other valuable consideration to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's assets.
6. "Service provider" means any person or entity that processes regulated health information on behalf of a regulated entity. A service provider may also be a regulated entity depending upon the context in which regulated health information is processed.
7. "Third party" means a person or entity other than the individual, regulated entity, or service provider involved in a transaction or occurrence that involves regulated health information. A third party may also be a regulated entity or service provider depending upon the context in which regulated health information is processed.
§ 1121. Requirements for communications to individuals. All notices, disclosures, forms, and other communications to individuals provided pursuant to this article shall comply with the following:
1. In general, all communications shall use plain, straightforward language, avoiding technical or legal jargon, and must be provided through an interface the individual regularly uses in connection with the regulated entity's product or service.
2. All communications shall be reasonably accessible to individuals with disabilities, including by:
(a) utilizing digital accessibility tools;
(b) for notices, complying with generally recognized industry standards, including, but not limited to, current standards set by standards setting bodies such as the World Web Consortium, or other similar standards setting bodies as determined by the attorney general; and
(c) for other communications, providing information about how an individual with a disability may access the communication in an alternative format.
3. All communications shall be available in the languages in which the regulated entity provides information via its website and services. Any direct communication to an individual shall be provided in the language in which the individual ordinarily interacts with the regulated entity or its service provider.
4. A regulated entity shall make any notice for processing pursuant to a permissible purpose, pursuant to subparagraph (ii) of paragraph (b) of subdivision one of section eleven hundred twenty-two of this article, or form for processing pursuant to authorization, pursuant to subparagraph (i) of paragraph (b) of subdivision one of section eleven hundred twenty-two of this article, publicly available on its website. If an authorization form is customized for each individual, the regulated entity may instead publicly post a sample authorization form on its website.
§ 1122. Lawfulness of processing regulated health information. 1. In general, it shall be unlawful for a regulated entity to:
(a) sell an individual's regulated health information to a third party; or
(b) otherwise process an individual's regulated health information unless:
(i) The individual has provided valid authorization for such processing as set forth in paragraph (b) of subdivision two of this section; or
(ii) Processing of an individual's regulated health information is strictly necessary for the purpose of:
(A) providing or maintaining a specific product or service requested by such individual;
(B) conducting the regulated entity's internal business operations, which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties;
(C) protecting against malicious, fraudulent, or illegal activity;
(D) detecting, responding to, or preventing security incidents or threats;
(E) protecting the vital interests of an individual;
(F) investigating, establishing, exercising, preparing for, or defending legal claims; or
(G) complying with the regulated entity's legal obligations.
2. Unless processing of an individual's regulated health information is strictly necessary pursuant to subparagraph (ii) of paragraph (b) of subdivision one of this section, a regulated entity that processes regulated health information pursuant to valid authorization as required by subparagraph (i) of paragraph (b) of subdivision one of this section shall comply with the following:
(a) A request for authorization to process an individual's regulated health information shall:
(i) be made separately from any other transaction or part of a transaction;
(ii) be made at least twenty-four hours after an individual creates an account or first uses the requested product or service;
(iii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing an individual's decision-making regarding authorization for processing;
(iv) if requesting authorization for multiple categories of processing activities, allow the individual to provide or withhold authorization separately for each category of processing activity; and
(v) not include any request for authorization for a processing activity for which an individual has withheld or revoked authorization within the past calendar year.
(b) A valid authorization shall include:
(i) the types of regulated health information to be processed;
(ii) the nature of the processing activity;
(iii) the specific purposes for such processing;
(iv) the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement;
(v) any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual's regulated health information, where applicable;
(vi) that failing to provide authorization will not affect the individual's experience of using the regulated entity's products or services;
(vii) the expiration date of the authorization, which may be up to one year from the date authorization was provided;
(viii) the mechanism by which the individual may revoke authorization prior to expiration;
(ix) the mechanism by which the individual may request access to and deletion of their regulated health information;
(x) any other information material to an individual's decision-making regarding authorization for processing; and
(xi) the signature, which may be electronic, of the individual who is the subject of the regulated health information, or a parent or guardian authorized by law to take actions of legal consequence on behalf of the individual who is the subject of the regulated health information, and the date.
(c) (i) A regulated entity that receives authorization for processing shall provide an effective, efficient, and easy-to-use mechanism by which an individual may revoke authorization at any time through an interface the individual regularly uses in connection with the regulated entity's product or service.
(ii) Upon an individual's revocation of authorization, the regulated entity shall immediately cease all processing activities for which authorization was revoked, except to the extent necessary to comply with the regulated entity's legal obligations.
(iii) For individuals who have an online account with the regulated entity, the regulated entity must provide, in a conspicuous and easily accessible place within the account settings, a list of all processing activities for which the individual has provided authorization and, for each processing activity, allow the individual to revoke authorization in the same place with one motion or action.
(d) Upon obtaining valid authorization from an individual, the regulated entity shall provide that individual a copy of the authorization. The authorization shall be provided in a manner that is capable of being retained by the individual.
(e) The regulated entity shall limit its processing to what was clearly disclosed to an individual pursuant to paragraph (b) of this subdivision when the regulated entity received authorization from the individual.
(f) If the regulated entity seeks to materially alter its processing activities for regulated health information collected pursuant to authorization, the regulated entity shall obtain a new authorization for the new or altered processing activity.
(g) Providing a product or service requested by an individual must not be made contingent on providing authorization. The regulated entity must not discriminate against an individual for withholding authorization, such as by charging different prices or rates for products or services, including through the use of discounts or other benefits, imposing penalties, or providing a different level or quality of services or goods to the individual.
3. A regulated entity that processes regulated health information pursuant to a permissible purpose pursuant to subparagraph (ii) of paragraph (b) of subdivision one of this section shall comply with the following:
(a) A regulated entity shall provide clear and conspicuous notice that describes:
(i) the types of regulated health information to be processed;
(ii) the nature of the processing activity;
(iii) the specific purposes for such processing;
(iv) the names where readily available, or categories of service providers and third parties to which the regulated entity may disclose the individual's regulated health information and the purposes for such disclosure, including the circumstances under which the regulated entity may disclose regulated health information to law enforcement; and
(v) the mechanism by which the individual may request access to and deletion of their regulated health information.
(b) If the regulated entity materially alters its processing activities for regulated health information collected pursuant to a permissible purpose, the regulated entity must provide a clear and conspicuous notice in plain language, separate from a privacy policy, terms of service, or similar document, that describes any material changes to the processing activities and provide the individual with an opportunity to request deletion of their regulated health information.
§ 1123. Individual rights. 1. (a) A regulated entity shall make available an effective, efficient, and easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity's product or service by which an individual may request access to their regulated health information.
(b) Within thirty days of receiving an access request, the regulated entity shall make available a copy of all regulated health information about the individual that the regulated entity maintains or that service providers maintain on behalf of the regulated entity.
2. (a) A regulated entity shall make available an effective, efficient, and easy-to-use mechanism through an interface the individual regularly uses in connection with the regulated entity's product or service by which an individual may request the deletion of their regulated health information.
(b) An individual's request to delete or cancel their online account shall be treated as a request to delete the individual's regulated health information.
(c) Within thirty days of receiving a deletion request, the regulated entity shall:
(i) Delete all regulated health information associated with the individual in the regulated entity's possession or control, except to the extent necessary to comply with the regulated entity's legal obligations; and
(ii) Unless it proves impossible or involves disproportionate effort that is documented in writing by the regulated entity, communicate such request to each service provider or third party that processed the individual's regulated health information in connection with a transaction involving the regulated entity occurring within one year preceding the individual's request.
(d) Any service provider or third party that receives notice of an individual's deletion request shall within thirty days delete all regulated health information associated with the individual in its possession or control, except to the extent necessary to comply with its legal obligations.
3. Any right set forth in this section may be exercised at any time by the individual who is the subject of the regulated health information or an agent authorized by such individual.
§ 1124. Security. 1. In general, a regulated entity shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of regulated health information.
2. A regulated entity must securely dispose of an individual's regulated health information pursuant to a publicly available retention schedule within a reasonable time, and in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization.
§ 1125. Service providers. 1. In general, any processing of regulated health information by a service provider on behalf of a regulated entity shall be governed by a written, binding agreement. Such agreement shall clearly set forth instructions for processing regulated health information, the nature and purpose of processing, the duration of processing, and the rights and obligations of both parties.
2. An agreement pursuant to subdivision one of this section shall require that the service provider:
(a) ensure that each person processing regulated health information is subject to a duty of confidentiality with respect to such information;
(b) protect regulated health information in a manner consistent with the requirements of this article;
(c) process regulated health information only when and to the extent necessary to comply with its obligations to the regulated entity;
(d) not combine the regulated health information which the service provider receives from or on behalf of the regulated entity with any other personal information which the service provider receives from or on behalf of another party or collects from its own relationship with individuals;
(e) comply with any exercises of an individual's rights under section eleven hundred twenty-three of this article upon the request of the regulated entity and notify any service providers or third parties to which it disclosed regulated health information of the request;
(f) delete or return all regulated health information to the regulated entity at the end of the provision of services, unless retention of the regulated health information is required by law;
(g) upon the reasonable request of the regulated entity, make available to the regulated entity all data in its possession necessary to demonstrate the service provider's compliance with the obligations in this section;
(h) allow, and cooperate with, reasonable assessments by the regulated entity or the regulated entity's designated assessor for purposes of evaluating compliance with the obligations of this article. Alternatively, the service provider may arrange for a qualified and independent assessor to conduct an assessment of the service provider's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The service provider shall provide a report of such assessment to the regulated entity upon request;
(i) notify the regulated entity a reasonable time in advance before disclosing or transferring regulated health information to any further service providers, which may be in the form of a regularly updated list of further service providers that may access regulated health information; and
(j) engage any further service provider pursuant to a written, binding agreement that includes the contractual requirements provided in this section, containing at minimum the same obligations that the service provider has entered into with regard to regulated health information.
§ 1126. Exemptions. Nothing in this article shall apply to:
1. information processed by local, state, and federal governments, and municipal corporations;
2. protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5);
3. any covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the covered entity maintains patient information in the same manner as protected health information as described in subdivision two of this section; and
4. information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
§ 1127. Enforcement. 1. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person or persons, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful under this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits obtained directly or indirectly by any such violation, to obtain civil penalties of not more than fifteen thousand dollars per violation or twenty percent of revenue obtained from New York consumers within the past fiscal year, whichever is greater, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
2. The remedies provided by this section shall be in addition to any other lawful remedy available.
3. Any action or special proceeding brought by the attorney general pursuant to this section must be commenced within six years of the date on which the attorney general became aware of the violation.
4. In connection with any proposed action or special proceeding under this section, the attorney general is authorized to take proof and make a determination of the relevant facts, and to issue subpoenas in accordance with the civil practice law and rules. The attorney general may also require such other data and information as they may deem relevant and may require written responses to questions under oath. Such power of subpoena and examination shall not abate or terminate by reason of any action or special proceeding brought by the attorney general under this article.
5. This section shall apply to all acts declared to be unlawful in this article, whether or not subject to any other law of this state, and shall not supersede, amend or repeal any other law of this state under which the attorney general is authorized to take any action or conduct any inquiry.
6. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this section.
§ 1128. Contracts and waivers void and unenforceable. 1. Any contractual provision inconsistent with this article shall be void and unenforceable.
2. Any waiver by any individual of the provisions of this article shall be void and unenforceable.
§ 2. Severability. If any clause, sentence, paragraph, subdivision, section or part of this act shall be adjudged by any court of competent jurisdiction to be invalid, such judgment shall not affect, impair, or invalidate the remainder thereof, but shall be confined in its operation to the clause, sentence, paragraph, subdivision, section or part thereof directly involved in the controversy in which such judgment shall have been rendered. It is hereby declared to be the intent of the legislature that this act would have been enacted even if such invalid provisions had not been included herein.
§ 3. This act shall take effect one year after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.
The bill (described above) is different from another bill (S.1633/A.2613) that was put together by a sub-group of advocates and technical experts who have been attending a Workgroup (tasked by DoH Commissioner James McDonald and hosted by the NYeHealth Collaborative in NYC) called the NYS Health Data Privacy Workgroup. The Workgroup began meeting in mid-September. I was appointed to participate and represent our members and the behavioral health community at large.
There were only a few meetings before the Workgroup, which was initially tasked with coming up with a set of recommendations for the Commissioner that could be presented to the Executive and the Legislature for further consideration during this legislative session, began drafting proposed legislation. I was not part of this effort.
The bill is aimed at giving NYS healthcare clients additional rights to suppress certain portions of their electronic health records (through the use of EHR segmentation and an opt out process) while trying to address the fragmentation that currently exists in the information sharing processes that have been developed across NYS to this point. EHR segmentation was a big topic at the table. Privacy advocates were adamant that the care recipient be permitted to suppress certain information from being shared with other healthcare providers/networks, etc.
Again, the legislation (S.1633/A.2613) is still pending before both houses of the legislature.
Here’s the language of the bill:
STATE OF NEW YORK ____________________________________________________________ ____________ 2613 2025-2026 Regular Sessions IN ASSEMBLY January 21, 2025 ___________ Introduced by M. of A. LUNSFORD, TAPIA, ROZIC -- read once and referred to the Committee on Health AN ACT to amend the public health law, in relation to providing addi- tional protections for sensitive health information and requiring all health information networks, electronic health record systems, and health care providers to provide patients with a right to restrict the disclosures of such patient's health information The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The public health law is amended by adding two new sections 2 25 and 26 to read as follows: 3 § 25. Privacy of information disclosed through health information 4 networks. 1. Definitions. For purposes of this section: 5 (a) "Business associate" shall have the same meaning as set forth in 6 45 CFR 160.103. 7 (b) "Codified sensitive information" means patient information that, 8 by associated standard codes commonly used in the exchange of patient 9 information including, but not limited to ICD-10 or SNOMED, can be iden- 10 tified as sensitive information in accordance with subdivision three of 11 this section. 12 (c) "Disclosure" means the release, transfer, provision of access to, 13 or divulging in any manner of information outside the entity that deliv- 14 ered the health care and the patient who received the care, and such 15 term shall not include any of the exceptions set forth in the definition 16 of "disclosure to any other person" as defined in paragraph (e) of 17 subdivision one of section eighteen of this chapter. 
18 (d) "Electronic health records system" means any entity operating in 19 the state of New York that electronically stores or maintains patient 20 information, electronic health records, personal health records, health 21 care claims, or payment and other administrative data on behalf of a EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD04417-02-5
A. 2613 2
1 health care provider, health care service plan, pharmaceutical company,
2 contractor, or employer.
(e) "Health care provider" shall have the same meaning as set forth in paragraph (b) of subdivision one of section eighteen of this title and for purposes of this section shall refer to health care providers that are located in the state of New York and use a health information network to receive, hold or exchange patient information on their behalf.
(f) "Health information network" shall mean any entity, including a health information technology developer of certified health information technology, that receives, holds or exchanges patient information in electronic form on behalf of a health care provider and makes such information available to two or more individuals or entities that are unaffiliated with the health care provider for purposes of treatment, payment, or health care operations, as those terms are defined under HIPAA, or a qualified health information network as established under TEFCA, which exchanges patient information on behalf of a health care provider located in the state of New York. An entity may qualify as a "health information network" irrespective of whether such entity receives funding from the department. The term "health information network" shall not include:
(i) a health care provider;
(ii) an entity that makes patient information available solely:
(1) from one health care provider to a single health care provider as part of a referral, prescription, or consultation;
(2) as necessary for the payment of a health care claim;
(3) among affiliates of a single health care provider;
(4) to individuals and entities under contract with the entity who meet the definition of a "business associate" under HIPAA and who process patient information only as directed by a health care provider and do not disclose patient information; or
(5) as necessary to operate clinical data registries, provide organ donation coordination services and other similar services as deemed appropriate by the department in regulation;
(iii) a health insurer or a health maintenance organization, when acting as a health insurer, to the extent it exchanges patient information via HIPAA standard transactions; and
(iv) an entity that makes patient information available solely to and between health information networks and has no ability to access, modify, or further disclose patient information, including, but not limited to, the recognized coordinating entity under TEFCA.
(g) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 C.F.R. Parts 160, 162, and 164.
(h) "Non-codified sensitive information" means patient information that contains or reveals sensitive information, but that is not associated with standardized codes and shall include, but is not limited to notes, visit summaries, laboratory results and images.
(i) "Patient information" shall have the same meaning as set forth in paragraph (e) of subdivision one of section eighteen of this chapter.
(j) "Qualified person" shall have the same meaning as set forth in paragraph (g) of subdivision one of section eighteen of this title.
(k) "Sensitive information" means patient information that contains or reveals reproductive health services as defined in paragraph (a) of subdivision one of section sixty-five hundred thirty-one-b of the education law, gender-affirming care as defined in paragraph (c) of subdivision one of section sixty-five hundred thirty-one-b of the education law, care protected under 42 CFR part 2, diagnosis and treatment for a sexually transmitted infection or HIV, mental health services, alcohol or substance use treatment, and any other health care services determined by the commissioner through regulations, in consultation with health care providers, patient advocates, health information networks and other relevant stakeholders.
(l) "TEFCA" means the Trusted Exchange Framework and Common Agreement authorized by the 21st Century Cures Act.
2. Patient right to restrict disclosures by health information networks. Within one hundred eighty days from the effective date of this section, the department shall establish rules and regulations requiring any health information network to:
(a) provide qualified persons with the means of requesting, without undue effort, restrictions on disclosures of patient information from all health information networks;
(b) subject to any regulatory exceptions established by the department, abide by the terms of a qualified person's requested restriction made under paragraph (a) of this subdivision; and
(c) subject to any regulatory exceptions established by the department, provide or cause to be provided to qualified persons, upon request, a report or notifications detailing disclosures of the applicable patient's patient information by or through all health information networks.
3. Additional protections for codified sensitive information by health information networks. (a) Within one hundred eighty days from the effective date of this section, the department shall establish rules and regulations, consistent with state and federal law and regulations, including but not limited to article thirty-three of the mental hygiene law and section twenty-seven hundred eighty-two of this chapter, requiring any health information network to:
(i) develop the capacity to limit the disclosure of codified sensitive information while allowing for the disclosure of a patient's other health information;
(ii) when directed by a qualified person, limit user access privileges to codified sensitive information to only those HIPAA covered entities whom the qualified person has specifically authorized to access the codified sensitive information;
(iii) provide the ability to automatically disable access to codified sensitive information by an individual or entity located outside the state of New York as directed by a qualified person; and
(iv) unless otherwise ordered by a court of competent jurisdiction, notify the qualified person and the provider who rendered the health care documented in the codified sensitive information at least thirty days prior to complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons for codified sensitive information.
(b) Such rules and regulations shall also:
(i) establish a list of procedure codes, diagnosis codes, medication codes, and other appropriate codes that constitute codified sensitive information;
(ii) set forth exceptions to the requirement to block the disclosure of codified sensitive information as required by paragraph (a) of this subdivision, including for disclosures to individuals and entities under contract with a health information network who meet the definition of a "business associate" under HIPAA and who do not re-disclose such patient information; and
(iii) establish guidelines for the authorization necessary to limit disclosure of codified sensitive information pursuant to subparagraphs (ii) and (iii) of paragraph (a) of this subdivision.
4. Additional protections for sensitive information by electronic health records systems. (a) Within one hundred eighty days of the effective date of this section, the department shall establish rules and regulations, consistent with state and federal law and regulations, including but not limited to article thirty-three of the mental hygiene law and section twenty-seven hundred eighty-two of this chapter, requiring any electronic health records system to:
(i) develop the capacity to provide qualified persons with the means of requesting, without undue effort, restrictions on disclosures of patient information;
(ii) develop the capacity to limit the disclosure of codified sensitive information while allowing for the disclosure of a patient's other health information;
(iii) when directed by a qualified person, limit user access privileges to codified sensitive information to only those HIPAA covered entities whom the qualified person has specifically authorized to access the sensitive information;
(iv) provide the ability to automatically disable access to codified sensitive information by an individual or entity located outside the state of New York as directed by a qualified person; and
(v) unless otherwise ordered by a court of competent jurisdiction, notify the qualified person and the provider who rendered the health care documented in the codified sensitive information at least thirty days prior to complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons for codified sensitive information.
(b) Within one year of the effective date of this section, the department shall establish rules and regulations, consistent with state and federal law and regulations, including but not limited to article thirty-three of the mental hygiene law and section twenty-seven hundred eighty-two of this chapter, requiring any electronic health records system to:
(i) develop the capacity to limit the disclosure of non-codified sensitive information while allowing for the disclosure of a patient's other health information;
(ii) when directed by a qualified person, limit user access privileges to non-codified sensitive information to only those HIPAA covered entities whom the qualified person has specifically authorized to access the non-codified sensitive information;
(iii) provide the ability to automatically disable access to non-codified sensitive information by an individual or entity located outside the state of New York as directed by a qualified person; and
(iv) unless otherwise ordered by a court of competent jurisdiction, notify the qualified person and the provider who rendered the health care documented in the non-codified sensitive information at least thirty days prior to complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons for non-codified sensitive information.
(c) The rules and regulations required by paragraphs (a) and (b) of this subdivision shall also:
(i) set forth exceptions to the requirement to block the disclosure of codified and non-codified sensitive information as required by paragraphs (a) and (b) of this subdivision, including for disclosures to individuals and entities under contract with a health information network who meet the definition of a "business associate" under HIPAA and who do not re-disclose such patient information; and
(ii) establish guidelines for the authorization necessary to limit disclosure of codified and non-codified sensitive information pursuant to subparagraphs (iii) and (iv) of paragraph (a) and subparagraphs (ii) and (iii) of paragraph (b) of this section.
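Subdivisions three and four above describe the same segmentation mechanism for codified sensitive information: a department-maintained code list, a per-patient restriction naming the HIPAA covered entities allowed to see those entries, an automatic block for out-of-state requesters, and a carve-out for contracted business associates. The following is an added illustration written for this post, not code from the bill or from any health information network; the sensitive codes, entity names and patient record are constructed sample data, and the business-associate exception is modelled as the bill says regulation may carve it out.

```python
"""Constructed model of the code-based disclosure filter required by
A. 2613 s.25(3)/(4). Not real HIN or EHR software; all data is sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Stand-in for the department's list of sensitive codes (s.25(3)(b)(i)).
# These are constructed placeholders, not real ICD-10 or SNOMED codes.
SENSITIVE_CODES: Set[str] = {"SENS-REPRO-01", "SENS-MH-02", "SENS-SUD-03"}


@dataclass(frozen=True)
class Entry:
    code: Optional[str]  # standard code if the entry is codified, else None
    text: str


@dataclass(frozen=True)
class Requester:
    name: str
    state: str           # two-letter state where the requesting entity is located
    hipaa_covered: bool  # whether it is a HIPAA covered entity


@dataclass
class Restriction:
    """A qualified person's directions under s.25(3)(a)(ii) and (iii)."""
    authorized_entities: Set[str] = field(default_factory=set)
    block_out_of_state: bool = False
    # Business associates exempted by regulation under s.25(3)(b)(ii).
    exempt_business_associates: Set[str] = field(default_factory=set)


def is_codified_sensitive(entry: Entry) -> bool:
    """Only coded entries can be recognised here; free-text notes are
    'non-codified' and need the separate handling in s.25(4)(b)."""
    return entry.code is not None and entry.code in SENSITIVE_CODES


def may_receive_sensitive(req: Requester, r: Restriction) -> bool:
    if req.name in r.exempt_business_associates:
        return True   # contracted BA that does not re-disclose
    if r.block_out_of_state and req.state != "NY":
        return False  # automatic disable for out-of-state requesters
    return req.hipaa_covered and req.name in r.authorized_entities


def disclose(record: List[Entry], req: Requester, r: Restriction) -> List[Entry]:
    """Return what the requester may see: the patient's other information
    always passes; codified sensitive entries only when the restriction permits."""
    if may_receive_sensitive(req, r):
        return list(record)
    return [e for e in record if not is_codified_sensitive(e)]


# Constructed sample record: one ordinary coded visit, one sensitive coded
# visit, and one uncoded note that this filter cannot classify.
RECORD = [
    Entry("GEN-001", "annual physical"),
    Entry("SENS-MH-02", "therapy visit"),
    Entry(None, "free-text progress note"),
]
```

Note that the uncoded progress note passes through unchanged even when it reveals sensitive care; that gap is exactly why the bill gives electronic health records systems a further year to handle non-codified sensitive information.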
5. Authorization. Notwithstanding section eighteen of this title and subdivision twenty-three of section sixty-five hundred thirty of the education law, a health information network that abides by a qualified person's request to limit disclosure of sensitive information shall not be otherwise required to obtain authorization for the disclosure of patient information, unless authorization is required in accordance with subdivisions three or four of this section, article twenty-seven-F of this chapter, the provisions of section seventeen of this title related to prohibiting the release to an infant patient's parent or guardian of information related to the treatment of such infant patient for venereal disease or the performance of an abortion operation upon such infant patient, section 33.13 of the mental hygiene law, section seventy-nine-l of the civil rights law, section three hundred ninety-four-e of the general business law, 42 CFR part 2, HIPAA, or other relevant federal, state, or local laws.
§ 26. Privacy of patient information held by health care providers.
1. Definitions. For purposes of this section:
(a) "Disclosure" means the release, transfer, provision of access to, or divulging in any manner of information outside the entity that delivered the health care and the patient who received the care, and such term shall not include any of the exceptions set forth in the definition of "disclosure to any other person" as defined in paragraph (e) of subdivision one of section eighteen of this chapter.
(b) "Health care provider" shall have the same meaning as set forth in paragraph (b) of subdivision one of section eighteen of this chapter.
(c) "HIPAA" shall have the same meaning as set forth in paragraph (g) of subdivision one of section twenty-five of this title.
(d) "Patient information" shall have the same meaning as set forth in paragraph (e) of subdivision one of section eighteen of this title.
(e) "Qualified person" shall have the same meaning as set forth in paragraph (g) of subdivision one of section eighteen of this title.
(f) "Sensitive information" shall have the same meaning as set forth in paragraph (k) of subdivision one of section twenty-five of this title.
2. Patient right to restrict disclosures by health care providers.
(a) Within one hundred eighty days from the effective date of this subdivision, the department shall establish rules and regulations that require health care providers to take reasonable steps to:
(i) provide qualified persons with the means of requesting restrictions on disclosures of patient information consistent with the obligations imposed by section twenty-five of this article;
(ii) notify qualified persons of their right to restrict the disclosure of patient information;
(iii) subject to any regulatory exceptions established by the department, abide by the terms of a qualified person's requested restriction; and
(iv) unless otherwise ordered by a court of competent jurisdiction, notify the qualified person at least thirty days prior to complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons for sensitive information.
(b) The department's rules and regulations shall set forth exceptions to a qualified person's right to restrict disclosures and shall include, at a minimum, exceptions for:
(i) disclosures to public health authorities located in the state of New York in accordance with New York law;
(ii) disclosures necessary to facilitate payment of a health care claim;
(iii) disclosures necessary to ensure that a provider is in compliance with applicable quality of care, licensure or accreditation standards; and
(iv) disclosures strictly necessary to fill a prescription or provide a service.
(c) The department shall establish phase-in periods for health care providers to implement the requirements of this subdivision, taking into account the technical feasibility of implementing restrictions among various sectors, including (i) small health care providers; and (ii) health care providers in sectors that do not typically utilize certified health information technology, as well as the time it takes for the health information systems or electronic health record systems to develop and implement the capacity to segment health records.
(d) The department shall provide guidance to health care providers, including model notices health care providers may use to notify qualified persons to permit them to exercise their rights under this subdivision. Such guidance shall recommend more prominent notices and means for a qualified person to exercise their rights in health care settings where sensitive information is frequently generated as part of patients' health care records.
3. Authorization for a health care provider's disclosure of patient information. Notwithstanding section eighteen of this title and subdivision twenty-three of section sixty-five hundred thirty of the education law, if a health care provider has provided actual notice to a qualified person of such person's right to restrict disclosures of patient information in accordance with the requirements of subdivision two of this section and abides by a qualified person's request to restrict disclosures, no authorization shall be required for such health care provider to disclose a patient's other patient information unless authorization is required by this section or section twenty-five of this title, article twenty-seven-F of this chapter, the provisions of section seventeen of this title relating to prohibiting the release to an infant patient's parent or guardian of information related to the treatment of such infant patient for venereal disease or the performance of an abortion operation upon such infant patient, section 33.13 of the mental hygiene law, section seventy-nine-l of the civil rights law, section three hundred ninety-four-e of the general business law, 42 CFR part 2, HIPAA, or other relevant federal, state, or local laws.
4. Authorization for a health care provider's request for patient information. Notwithstanding section eighteen of this title and subdivision twenty-three of section sixty-five hundred thirty of the education law, if a health care provider provides actual notice to qualified persons that it makes routine requests for patient information from other individuals or entities, no authorization shall be required to make a request for patient information unless authorization is required by this section or section twenty-five of this title, article twenty-seven-F of this chapter, the provisions of section seventeen of this title relating to prohibiting the release to an infant patient's parent or guardian of information related to the treatment of such infant patient for venereal disease or the performance of an abortion operation upon such infant patient, section 33.13 of the mental hygiene law, section seventy-nine-l of the civil rights law, section three hundred ninety-four-e of the general business law, 42 CFR part 2, HIPAA, or other relevant federal, state, or local laws.
5. Disclosure of de-identified patient information. Nothing in this section shall prohibit a health care provider's disclosure of de-identified patient information for the purposes of quality assurance or improvement activities, clinical trials or research. For purposes of this section, "de-identified" means that the information cannot identify or be made to identify or be associated with a particular individual, directly or indirectly and is subject to technical safeguards and policies and procedures that prevent re-identification, whether intentionally or unintentionally, of any individual.
§ 2. Severability. If any provision of this act, or any application of any provision of this act, is held to be invalid, or ruled to violate or be inconsistent with any applicable federal law or regulation, that shall not affect the validity or effectiveness of any other provision of this act, or of any other application of any provision of this act. It is hereby declared to be the intent of the legislature that this act would have been enacted even if such invalid provisions had not been included herein.
§ 3. This act shall take effect immediately.